petio-team / petio

Petio Request, Discover, Review
https://petio.tv
MIT License

Simplify Invites to users #569

Open douginoz opened 3 years ago

douginoz commented 3 years ago

I was working with the Ombi dev on this idea. It stems from the problem of having users that simply can't have yet another password they need to remember - and that includes remembering their Plex login. Most of my users (and I'd say, most Plex end users) simply watch Plex on their TV type device. They've logged in perhaps 2 or 3 times over the past 2-3 years, if only because of some update or reset that forced them to re-login. Otherwise, they just use Plex, which is the whole point of Plex - just using it.

These sort of "mom and pop" users don't use a password manager and likely use the same password for banking as they do for Facebook. They're not technical and I don't want to force them to be technical.

The problem I had with Ombi isn't really a lack of functionality or bug-ridden code. It's simply that it required too much setup on my behalf and theirs to get it working. And whenever I changed things on my end (as a tech guy, that's often), it would break their use of Ombi or force them to have to ask me to help them. Which I abhor doing.

So it's essential that any sort of request system be developed with those users in mind. After all, admins and other tech-savvy people don't need Ombi, or petio, or anything polished in order to get things done. So these sort of apps need to cater to the sort of user that can intuit most of the app's functionality, without resorting to asking for help.

The concept I had with Ombi was born from the need of the Ombi app to do a complicated set of registration steps in order to link the app to my Ombi server. And it required users to create yet another password that they're absolutely never going to remember a week later, which was about the length of time it took for me to break something and force them to re-log on.

So I came up with the idea of having a button in the Admin's user details screen of Ombi that I could click. The button would email out a unique url to the user. The user would just have to read the email on their phone/tablet, tap on the Ombi icon to install the app, then tap on the link. The link would take them into the Ombi app, which would use the url and string to connect to my Petio server, and with the unique string in the URL, associate the user to the app and to Petio.

Since there's no Petio app, that step isn't needed. So clicking on the Invite button in the email would simply open up their browser, which would connect to my server.

Here's how it would work from start to finish.

As admin, when I want to send out an invite to my Plex users, I go into the user details screen and click on the Invite button to send a link. Clicking on the button does the following:

creates a unique one-time string - "zdfgjhdfghzdfg4w45r3kjdhfg" in this example

emails the user an html email containing an invite blurb and an invite button. The button contains the URL of my server along with the string, e.g. "https://myperrsonalpetio.duckdns.org?t=zdfgjhdfghzdfg4w45r3kjdhfg"

upon successful sending of the email, saves a timestamp of when the string/invite was created/sent.

The user receives the email and taps on the Invite button

Their browser opens up and goes to that URL

My petio server identifies it as an invite, and looks up the string against all currently outstanding invites

When it finds it, it checks that the invite hasn't expired by looking at the timestamp and some preset expiry duration

If it's expired, return something to the requester telling them the invite expired and to request another one

If the invite hasn't expired but has already been filled, send something back to the requester indicating that the invite is no longer valid

At this point, we know the invite is valid and hasn't expired. So:

generate a unique password string and store it against the user
encrypt the login name and password in a return string to the requestor along with the valid petio url
do whatever html stuff needs to happen for the user's browser to then log on to petio. Something needs to tell the browser to save the login credentials so that we don't need to ever log on manually again.
the petio server sees that the user has successfully logged on and updates the user record accordingly, removing the unique invite string, invite date, etc.

At the end of it then, the user has simply tapped on an Invite button in an email, and they've now logged in to Petio without ever seeing a login screen. They should be taken to a Welcome screen that reminds them to bookmark Petio and create a desktop icon thing so that they can easily get into petio at any time. When the user subsequently goes to the petio url via that icon thing, they don't see a login screen because the login details were transmitted invisibly. The only time they'd see a login screen is if they manually went to my server's url, i.e. "https://myperrsonalpetio.duckdns.org" - but they should never do that, because they were never given that url or see it anywhere.

So we end up with a simple secure way to invite moms and dads to Petio. They click on an icon, Petio opens in their browser and logs them in automatically. They then save an icon desktop thing that they use for all future access.

This provides the simplest way that doesn't force users to remember any urls or new login / passwords. It can also be incorporated into the invite logic of any future native mobile app. While it's currently possible to use the Plex login, most of my users have no idea what their Plex login is. Either I installed it on their smartTV 2 years ago (and I don't keep records), or they have long forgotten it once they got Plex working on their phone/laptop. And as the server admin, I really don't want phone calls from users telling me that they don't know their Plex login. Or Petio login.

LukeHagar commented 2 years ago

You basically just described OAuth

LukeHagar commented 2 years ago

I have the same problems, and I love the problem solving here. I'm happy to help any way I can